SOC & BUSINESS DRIVEN CYBER THREATS
Mahmoud Yassin, Lead Security Eng. SOC & NOC, National Bank of Abu Dhabi
v  Business Todayv  Whats business affect on security communityv  Cyber threats and Business targetv  new trends in cy...
BUSINESS TODAY
TODAY’S BUSINESS CLIMATE  •  Running a business in the 21st Century isn’t easy!  •  Security Regulations are abound     • ...
IT SPRAWL HAS BUSINESS ATTHE BREAKING POINT    Business innovation throttled to 30%    •  Time to revenue    •  Cost of lo...
TOMORROW’S BUSINESS WILL BE BUILT ONA CONVERGED INFRASTRUCTURE Security is framework for ALL                              ...
TODAY BUSINESS & INFORMATION SECURITY
SECURITY AND BUSINESS INFRASTRUCTURE                                                                        Vendors       ...
SECURITY WORRIES   •    I worry about a hacker gaining access to our Oracle data base and coping social security        nu...
GETTING THERE                                  v Technical / Tactical                                      q  “Build Suc...
SECURITY PAIN  •  Security investments based on ROSI  •  Executives growing weary       •  Less talk, more revenue  •  Dim...
CYBER THREATS AND BUSINESS TARGET
CYBER RISKS ARE AN INCREASING THREAT TO SOURCES OFENTERPRISE CAPABILITY AND BRAND COMPETITIVENESS   Extortion             ...
MASS-SCALE HACKING   •    Its ROI focused..   •    Its not personal. Automated attacks against mass targets, not specific ...
RECENT INCIDENTS: RISE OF THE PROFESSIONALS •  Estonia: As part of unrest and pro-Russian riots in Tallinn, the Internet- ...
NEW TRENDS IN CYBER THREATS
CYBER SECURITY    Are you the next Victim?                               17
BEFORE 2009              18
2010 - THE YEAR HACKING BECAME A BUSINESS   2010 was the year hacking stopped being a hobby and became a lucrative profess...
WE ARCHIVED 1,419,202 WEB-SITES DEFACE-MENTS          Attacks by month	     Year 2010	                   Jan	             ...
HACKING AS BUSINESS  Hacking isnt a kids game anymore  It had price …$$$...       The Black Market                        ...
HACKING AS SERVICESv    DDoS attacks       The price usually depends on the attack time:       1 hour - US$10-20 (depends...
HACKING AS ORGANIZED CRIMECyber Criminals have become an organized bunch.    they use peer-to-peer payment systems just li...
YEAR 2011   Date	           Site	              2011-04-04	     Anonymous Engages in Sony DDoS Attacks Over GeoHot PS3 Laws...
CYBER CRIME AND CYBER ESPIONAGE ARE HAVING REALIMPACTS  •    Estimated $1 Trillion of intellectual property stolen each ye...
RSA	  BREACH	    March	  11,	  2011-­‐Breach	  detected	  not	  public	    •  Thursday	  March	  17,	  2011	  story	  brok...
75% OF ATTACKS OCCUR THROUGH WEBAPPLICATIONS - GARTNERv  Approximately 66 vulnerabilities per website were found for a to...
VISIBILITY OF ADVANCED PERSISTENCE THREATS                               -- Invisible -- Source from : Douwe.Leguit@govcer...
TODAY’S THREAT LANDSCAPE                                                                    Undetected Attacks    External...
APPROACH TO TARGET NEW CYBER THREATS
ENTERPRISE SECURITY ARCHITECTURE                           End Point Security        Network        System           Data ...
THE ENTERPRISE TODAY - MOUNTAINS OF DATA, MANYSTAKEHOLDERS                                                      Malicious ...
SECURITY MANAGEMENT IN DYNAMICENVIRONMENT
RISK BASE APPROACH FOR SECURITY MANAGEMENTRisk Management : The Business Modelv  Security is relative:    - Many risks an...
STEPS FOR BETTER SECURITYStep 1 : Know your risks              Internal                                      Regulatory   ...
STEPS FOR BETTER SECURITYStep 2 : Visualize your situation                           System                          Monit...
STEPS FOR BETTER SECURITY Step 3 : Knowing your enemy’s behavior  You need an  Investigation Tools  •  for pervasive     v...
WHAT’S IN A SOC    What is it? What does it do? What’s a good one and    what’s a bad one? Is it worth the time/money?
TOP TECHNICAL ISSUES   •    Increase Speed of Aggregation and Correlation   •    Maximize Device and System Coverage   •  ...
SOC FRAMEWORKIndustry Standards and                                                         Service Delivery              ...
SOC OR OPERATIONAL SOC…  Server Engineering   Business Ops.    Compliance Audit   Risk Mgmt.     Security Ops.        Desk...
THE 3 (MAIN) FUNCTIONS OF A SOC   •    The reason for a SOC: Business Continuity, Risk Mitigation, Cost Efficiency   •    ...
PRIORITIZATION AND REMEDIATION   •  Deal with what’s most relevant to the business first!       •  Gather asset data      ...
SOC AND BUSINESS EXPECTATION   Historical                 Todays Scenario                              Business Oriented  ...
SOC ANATOMY      ü Conduct tests to verify control is                                                 ü Monitor environm...
SOLUTION MAPPING TO SOC SERVICES    Threats & Vulnerability     Impact Analysis &        Risk      Monitor &    identifica...
SOC ARCHITECTURE   Data-Center 1                                        To Other Business Units                           ...
PROACTIVE SOC APPROACH                                                                   Security Analytics               ...
PEOPLE, PROCESS, OR TECHNOLOGY PROBLEM?
SOC OPERATIONAL MODEL (PEOPLE)                            L3:              Security Incident                              ...
SOC Operational model (process)                          Network                                               SOC        ...
SOC OPERATIONAL MODEL (TECHNOLOGY)              Baseline   Correlated       Report             Realtime                  I...
SOC KEY DIFFERENTIATION AREAS
INTEGRATED CMDB                                                                      CMDB Data•  Configuration Management ...
WHAT OUR CUSTOMER DATA TELLS US 21% is everything               22% are how-to   else combined                 related – p...
INCIDENT MANAGEMENTKEEP USERS AND DATA CENTER SERVICES UP AND RUNNING, AND RESTORESERVICE QUICKLY  •  Process workflows   ...
  57. CASE MANAGEMENT: ENABLES ORGANIZATIONS TO IDENTIFY AND TRACK PROBLEMS
     • Problem creation from similar incidents or A...
  58. CHANGE MANAGEMENT: MINIMIZE ERRORS AND REDUCE RISK
     • Typical Change Models: Standard, Major, Emergency...
     • Review an...
  59. VULNERABILITY MANAGEMENT PROCESS
     1. Discovery (Mapping) ...
  60. INVESTIGATIONS AND FORENSICS
     • Being able to investigate and manipulate data
     • Visualization
     • Post-event corr...
  61. CRIME SCENE
  62. II. CISRT
     • Organization decision of building a team based on size and ROSI
     • Compose team or select members w...
  63. Q&A
     Mahmoud.yassin@nbad.com, myassin75@gmail.com
     THANK YOU
     15/05/2012
Isc2conferancepremay15final

  1. SOC & BUSINESS DRIVEN CYBER THREATS
     Mahmoud Yassin, Lead Security Eng. SOC & NOC, National Bank of Abu Dhabi
  2. • Business today
     • How business affects the security community
     • Cyber threats and business targets
     • New trends in cyber threats
     • Approach to target new cyber threats
     • Security management in a dynamic environment
     • SOC or OPSOC
     • Recommended actions for a SOC facing new threats
  3. BUSINESS TODAY
  4. TODAY’S BUSINESS CLIMATE
     • Running a business in the 21st Century isn’t easy!
     • Security regulations abound
     • 62% of companies spend more on compliance than protection*
     • Evolution of technology and business demands has resulted in highly diverse environments
     • Managing an increasing number of vulnerabilities in the face of sophisticated threats
     • Difficulties in aligning People, Process and Technology
     • Challenges in leveraging security knowledge and business process
     *Source: Riren
  5. IT SPRAWL HAS BUSINESS AT THE BREAKING POINT
     Business innovation throttled to 30%:
     • Time to revenue
     • Cost of lost time, effort, opportunity
     • Unpredictable business cycles
     70% captive in operations and maintenance:
     • Rigid & aging infrastructure
     • Application & information complexity
     • Inflexible business processes
     92% believe business cycles will continue to be unpredictable in the coming few years; 84% agree innovation is critical to success in the new economy; 8 out of 10 say the business & technology approach needs to be more flexible to meet changing customer needs.
  6. TOMORROW’S BUSINESS WILL BE BUILT ON A CONVERGED INFRASTRUCTURE
     Security is the framework for ALL.
     Unleash the potential:
     • Any application, anywhere
     • Flex resources on demand
     • Unlock productivity
     • Predictable continuity of service
     • Faster time to business value
     Building on what you have today: storage, servers, power & cooling, network and management software, all on a secure platform.
     Virtualized • Resilient • Orchestrated • Optimized • Modular and Secure
  7. TODAY’S BUSINESS & INFORMATION SECURITY
  8. SECURITY AND BUSINESS INFRASTRUCTURE
     • Pre 1980’s: mainframes. Centralized business security; security incorporated into the system.
     • 1980’s-1990’s: client/server. Security begins to diverge as systems become more client-based and distributed.
     • 2000s: multi-tier application architecture. Traditional application development complicates security; web application security visibility.
     • 2010’s: business cloud, with vendors, partners and clients. Business demands strain IT and security; diversity of IT, and security in the light of that diversity.
  9. SECURITY WORRIES
     • I worry about a hacker gaining access to our Oracle database and copying social security numbers
     • I worry about a converged network; if the network goes down you lose both voice and data, increasing the risk and worry
     • I worry about staff; I can’t protect the network from internal sabotage, disgruntled network administrators, IT personnel, etc.
     • I worry about new computers being plugged into the network after they have been off net
     • I worry about the new wide range of handheld IP devices which people plug in at will from near and far-flung locations
     • I worry about security in the public cloud
     • I worry about the virtual environment; it has 60% of my server power
     • I worry about employees working at home bridging networks via WLANs, opening up access to our network
     Source: Nick Lippis, Trusted Networks Symposium
  10. GETTING THERE
     • Technical / Tactical: “Build Success Early” - establish a meaningful early win; risk management / risk approach; define the threat landscape
     • Management: “Organize and Architect” - align people & process to meet multiple regulations; Information Security Management Framework
     • Technical / Strategic: “Actionable Foundation” - increase technical visibility, command and control; integrated security operations capability; network access control
     • Business Management: “Balanced Approach to the Business” - employ metrics to measure against the business goals; security services management
  11. SECURITY PAIN
     • Security investments based on ROSI
     • Executives growing weary
       • Less talk, more revenue
       • Diminishing expectations of security investments
       • “More money? What did you do with the last check?”
     • Constant deluge of “new” security problems
     • Regulatory compliance challenges
     • Cultural challenges inside and outside IT
     • Cyber security & Advanced Persistent Threats
  12. CYBER THREATS AND BUSINESS TARGET
  13. CYBER RISKS ARE AN INCREASING THREAT TO SOURCES OF ENTERPRISE CAPABILITY AND BRAND COMPETITIVENESS
     • Extortion (now): phishing and pharming driving increased customer costs, especially for the financial services sector; DDoS extortion attacks
     • Loss of intellectual property/data (now): national security information / export-controlled information; sensitive competitive data; sensitive personal/customer data
     • Potential for disruption (now): e-business and internal administration; connections with partners; ability to operate and deliver core services; as part of cyber conflict (i.e. Estonia); as target of cyber protest (i.e. anti-globalization)
     • Potential accountability for misuse (i.e. botnets) (emerging): reputational hits; legal accountability
     • Potential for data corruption: impact on operations or customers through data poisoning attacks
     • Terrorism (now): DDoS and focused attacks coordinated with physical attacks
  14. MASS-SCALE HACKING
     • It’s ROI focused.
     • It’s not personal. Automated attacks against mass targets, not specific individuals.
     • It’s multilayer. Each party involved in the hacking process has a unique role and uses a different financial model.
     • It’s automated. Botnets exploit vulnerabilities and extract valuable data, conduct brute-force password attacks, disseminate spam, distribute malware and manipulate search engine results.
     • Common attack types include:
       • Data theft or SQL injections
       • Business logic attacks
       • Denial of service attacks
     Source: Amichai Shulman
  15. RECENT INCIDENTS: RISE OF THE PROFESSIONALS
     • Estonia: As part of unrest and pro-Russian riots in Tallinn, the Internet-embracing nation undergoes massive online attacks from ethnic Russians
     • Zeus Trojan: Zeus, capable of defeating the one-time password systems used in the finance sector, targets commercial bank accounts and has gained control of more than 3 million computers in the US alone
     • Stuxnet: Stuxnet is a computer worm discovered in June 2010. It initially spreads via Microsoft Windows and targets Siemens industrial software and equipment. While it is not the first time that hackers have targeted industrial systems,[1] it is the first discovered malware that spies on and subverts industrial systems,[2] and the first to include a programmable logic controller (PLC) rootkit.[3][4]
  16. NEW TRENDS IN CYBER THREATS
  17. CYBER SECURITY: Are you the next victim?
  18. BEFORE 2009
  19. 2010 - THE YEAR HACKING BECAME A BUSINESS
     2010 was the year hacking stopped being a hobby and became a lucrative profession practiced by an underground of computer software developers and sellers. It was the year when cyber-criminals targeted everything from MySpace to Facebook. Are you one of the victims in June?
  20. WE ARCHIVED 1,419,202 WEB-SITE DEFACEMENTS
     Attacks by month, year 2010:
       Jan      53,915
       Feb      57,867
       Mar      73,712
       Apr      95,078
       May      83,182
       Jun      81,865
       Jul      87,364
       Aug      63,367
       Sep     185,741
       Oct     194,692
       Nov     258,355
       Dec     184,064
       Total 1,419,202
     Source: Trend Micro
  21. HACKING AS BUSINESS
     Hacking isn’t a kids’ game anymore. It has a price ... $$$
     The black market (USD):
       Trojan program to steal online account information: $980-$4,900
       Credit card number with PIN: $490
       Billing data, including account number, address, Social Security number, home address, and birth date: $78-$294
       Driver’s license: $147
       Birth certificate: $147
       Social Security card: $98
       Credit card number with security code and expiration date: $6-$24
       PayPal account logon and password: $6
     Data source: Trend Micro
  22. HACKING AS SERVICES
     • DDoS attacks. The price usually depends on the attack time:
       1 hour: US$10-20 (depends on the seller)
       2 hours: US$20-40
       1 day: US$100
       +1 day: from US$200 (depends on the complexity of the job)
       It is worth highlighting that they normally offer 10 minutes of testing: if you are interested, you tell them the server and they perform a DoS attack for 10 minutes so that you can evaluate the ‘service’.
     • Spam:
       Hosting: US$200
       Dedicated spam server: US$500
       10,000,000 mails per day: US$600
       SMS spam (per message): US$0.2
       ICQ (1,000,000): US$150
     • Hiding of executable files, to avoid antivirus programs and firewalls (they guarantee that the files won’t be detected even by the antivirus updates of the date of purchase): from US$1 to US$5 per executable file (cheap, isn’t it?)
     • RapidShare premium accounts (server hosting): 1 month US$5, 2 months US$8, 3 months US$12, 6 months US$18, 1 year US$28
  23. HACKING AS ORGANIZED CRIME
     Cyber criminals have become an organized bunch. They use peer-to-peer payment systems just like they’re buying and selling on eBay, and they’re not afraid to work together.
     Software as a Service for criminals: attackers use sophisticated trading interfaces to classify the stolen accounts by the FTP server’s country of origin and the compromised site’s Google page ranking. This information enables attackers to determine the cost of the compromised FTP credentials for resale to cybercriminals, or to leverage them in an attack against the more prominent web sites.
     Malware that encrypts data and then demands money to provide the decryption key: FileFixPro
  24. YEAR 2011 - SONY CASES, APRIL-JUNE 2011
       2011-04-04  Anonymous Engages in Sony DDoS Attacks Over GeoHot PS3 Lawsuit
       2011-04-20  Sony PSN Offline
       2011-04-26  PSN Outage caused by Rebug Firmware
       2011-04-26  PlayStation Network (PSN) Hacked
       2011-04-27  Ars readers report credit card fraud, blame Sony
       2011-04-28  Sony PSN hack triggers lawsuit; Sony says SOE Customer Data Safe
       2011-05-02  Sony Online Entertainment (SOE) hacked; SOE Network Taken Offline
       2011-05-03  Sony Online Entertainment (SOE) issues breach notification letter
       2011-05-05  Sony Brings In Forensic Experts On Data Breaches
       2011-05-06  Sony Networks Lacked Firewall, Ran Obsolete Software: Testimony
       2011-05-07  Sony succumbs to another hack leaking 2,500 "old records"
       2011-05-14  Sony resuming PlayStation Network, Qriocity services
       2011-05-17  PSN Accounts still subject to a vulnerability
       2011-05-18  Prolexic rumored to consult with Sony on security
       2011-05-20  Phishing site found on a Sony server
       2011-05-21  Hack on Sony-owned ISP steals $1,220 in virtual cash
       2011-05-22  Sony BMG Greece the latest hacked Sony site
       2011-05-23  LulzSec leak Sony’s Japanese Websites
       2011-05-23  PSN breach and restoration to cost $171M, Sony estimates
       2011-05-24  Sony says hacker stole 2,000 records from Canadian site (Sony Ericsson)
       2011-06-02  LulzSec versus Sony Pictures
       2011-06-02  Sony BMG Belgium (sonybmg.be) database exposed
       2011-06-02  Sony BMG Netherlands (sonybmg.nl) database exposed
       2011-06-02  Sony, Epsilon Testify Before Congress
       2011-06-03  Sony Europe database leaked
       2011-06-05  Latest Hack Shows Sony Didn’t Plug Holes
       2011-06-05  Sony Pictures Russia (www.sonypictures.ru) databases leaked
       2011-06-06  LulzSec Hackers Post Sony Computer Entertainment Developer Network (SCE Devnet)
       2011-06-06  LulzSec hits Sony BMG, leaks internal network maps
       2011-06-08  Sony Portugal latest to fall to hackers
       2011-06-08  Spoofing lead to fraud via shopping coupons at Sonisutoa / My Sony Club (Google Translation)
       2011-06-11  Spain Arrests 3 Suspects in Sony Hacking Case
       2011-06-20  SQLI on sonypictures.fr
       2011-06-23  Class Action Lawsuit Filed Against Sony/SCEA
     Other 2011 headlines on the slide: Anonymous leaks Bank of America e-mails; Lulz Security hackers target Sun website; Hong Kong Stock Exchange Website Hacked, Impacts Trades
  25. CYBER CRIME AND CYBER ESPIONAGE ARE HAVING REAL IMPACTS
     • Estimated $1 Trillion of intellectual property stolen each year (Gartner & McAfee, Jan 2010)
     • Cybercrime up 63% in 2011 (McAfee)
     • Topped $20 Billion at financial institutions
     • Reported cyber attacks on U.S. government computer networks climbed 40% in 2011
     • RSA breach, workers breached (March 2011)
     • DigiNotar bankrupt (2011)
     Source: Report of the CSIS Commission on Cyber Security for the 44th Presidency
  26. RSA BREACH
     • March 11, 2011: breach detected, not public
     • Thursday March 17, 2011: story broke
     • Threat Intelligence Committee call
     • Friday March 18, 2011
     • Cyber UCG call
     • NCI call with DHS
     • Threat Intelligence Committee call w/RSA
     • FS-ISAC Membership call w/RSA
     • NCI call
     • Mitigation Report Working Group calls
     • Mitigation Report
  27. 75% OF ATTACKS OCCUR THROUGH WEB APPLICATIONS - GARTNER
     • Approximately 66 vulnerabilities per website were found, for a total of 210,000 vulnerabilities over the scanned population.
     • 50% of the websites with instances of high vulnerabilities were susceptible to SQL Injection, while 42% of these websites were prone to Cross Site Scripting. Other serious vulnerabilities include Blind SQL Injection, Cross Site Scripting, CRLF Injection and HTTP response splitting, as well as script source code disclosure.
     Web security risks are growing.
     Sources: Computer Emergency Response Team Coordination Center (CERT/CC), National Vulnerability Database, Open-Source Vulnerability Database, and the Symantec Vulnerability Database; http://www.acunetix.com/news/security-audit-results.htm
  28. VISIBILITY OF ADVANCED PERSISTENT THREATS
     [Figure: "Invisible"]
     Source: Douwe.Leguit@govcert.nl, April 2010
  29. TODAY’S THREAT LANDSCAPE
     • Undetected attacks (Vulnerability Assessment): vulnerabilities and compromised machines may lie dormant for months, awaiting an attacker to exploit them. Requires vulnerability awareness and end-point intelligence.
     • External attacks (Intrusion Prevention): Trojans, viruses, worms, phishing ... not protected by firewalls. Requires IPS.
     • Porous perimeter (Network Behavior Analysis, NBA): every machine a peering point; laptops carry infection past firewalls. Requires IDS.
     • Information leakage (Network Access Control, NAC): point-to-point VPNs plus desktop and mobile internet connections provide ample opportunity. Requires compliance monitoring and enforcement.
     At the center: network intelligence and user intelligence.
  30. APPROACH TO TARGET NEW CYBER THREATS
  31. ENTERPRISE SECURITY ARCHITECTURE
     • End Point Security, Network Security, System Security, Data Security, Application Security
     • Operational Security
     • Physical / Data Center Security
     • Personnel Security
     • Security Management
  32. THE ENTERPRISE TODAY - MOUNTAINS OF DATA, MANY STAKEHOLDERS
     Use cases: Malicious Code Detection, Real-Time Monitoring, Spyware Detection, Troubleshooting, Access Control Enforcement, Configuration Control, Privileged User Management, Lockdown Enforcement, Unauthorized Service Detection, False Positive Reduction, IP Leakage, User Monitoring, SLA Monitoring
     Data sources: web server activity logs, web cache & proxy logs, content management logs, switch logs, IDS/IDP logs, VA scan logs, router logs, Windows logs, Windows domain logins, VPN logs, firewall logs, wireless access logs, Linux/Unix/Windows OS logs, Oracle Financial logs, mainframe logs, client & file server logs, DHCP logs, SAN file access logs, VLAN access & control logs, database logs
     Source: RSA
  33. SECURITY MANAGEMENT IN A DYNAMIC ENVIRONMENT
  34. RISK BASED APPROACH FOR SECURITY MANAGEMENT
     Risk Management: the business model
     • Security is relative: many risks and many solutions
     • Security is everyone’s business
     • Security is a process: things fail all the time
     • Variety of options: accept the risk; mitigate the risk with people/procedure/technology; transfer the risk
  35. STEPS FOR BETTER SECURITY - Step 1: Know your risks
     Drivers: internal and external threats; regulatory and compliance force; business ROSI (Return on Security Investment); cost of doing business
     Assets: system, data, application, process; asset vulnerability
     • Risk Assessment / Compliance Assessment
     • Vulnerability Assessment
     • Web Application Assessment / PenTest
  36. STEPS FOR BETTER SECURITY - Step 2: Visualize your situation
     System monitoring, log consolidation and intelligent correlation -> SIEM (Security Information & Event Management) solution -> SOC (Security Operation Center) -> Incident Management (ITIL process)
  37. STEPS FOR BETTER SECURITY - Step 3: Knowing your enemy’s behavior
     You need investigation tools:
     • for pervasive visibility into content and behavior
     • providing precise and actionable intelligence
  38. WHAT’S IN A SOC
     What is it? What does it do? What’s a good one and what’s a bad one? Is it worth the time/money?
  39. TOP TECHNICAL ISSUES
     • Increase speed of aggregation and correlation
     • Maximize device and system coverage
     • Improve ability to respond quickly
     • Deliver 24 x 7 coverage (this doesn’t have to be done by the SOC!)
     • Support for federated and distributed environments
     • Provide forensic capabilities
     • Ensure intelligent integration between SOCs and NOCs
  40. SOC FRAMEWORK
     Industry standards and best practices: ITIL, BS7799/ISO17799, SANS, CERT
     Service delivery: operational reporting, advisories; coverage models 24x7, 8x5, 12x7; operational models onsite, near shore and offshore (SOC and ODC)
     Tools: helpdesk, monitoring, management, configuration, automation/workflow; web portal; knowledgebase
     Security Center of Excellence: test bed, technology innovation, knowledge management, testing, product evaluation
     Command Center: incident & problem management, trainings
     Infrastructure management stream: device supervision (performance, incident, monitoring); security device operations (change, installation, configuration)
     Security management stream: security monitoring, security change, security advisory, incident management, reporting
     Program management: customer interface, escalation management, strategic assistance, operational supervision, quality control; vendor management
     People resources: cross skilling, rotation, training, ramp-up and scale down
  41. SOC OR OPERATIONAL SOC...
     Stakeholders: Server Engineering, Business Ops., Compliance Audit, Risk Mgmt., Security Ops., Desktop Ops., Network Ops., Application & Database
     Compliance operations and security operations functions: Report, Baseline, Alert/Correlation, Asset Ident., Forensics, Access Control, Access Control Enforcement, Log Mgmt., Configuration Control, SLA Compliance Monitoring, Incident Mgmt., Malicious Software, False Positive Reduction, Policy Enforcements, Real-time Monitoring, User Monitoring & Management, Unauthorized Network Service Detection, Environmental & Transmission Security, more...
     All the data: log management for any enterprise IP device (Universal Device Support, UDS); no filtering, normalizing, or data reduction; security events & operational information; no agents required ... for compliance & security operations
  42. THE 3 (MAIN) FUNCTIONS OF A SOC
     • The reason for a SOC: business continuity, risk mitigation, cost efficiency
     • What does the SOC do?
       1. Real-time monitoring / management: aggregate logs; aggregate more than logs; coordinate response and remediation; “Google Earth” view from a security perspective
       2. Reporting / custom views: security professionals; executives; auditors; consistent
       3. After-action analysis: forensics; investigation
     • Virtues of a SOC: cost efficiency, measurable improvements in availability, lower risk, relevance to the business, transparency, passing audits, consistency, reproducibility
     • Vices of a SOC: expensive, little meaning to the business, opacity to the business, no impact on risk, failing audits, inconsistency
  43. PRIORITIZATION AND REMEDIATION
     • Deal with what’s most relevant to the business first!
       • Gather asset data
       • Gather business priorities
       • Understand the business context of an incident
     • Break down the IT silos
       • Coordinate responses
       • Inform all who need to know of an incident
       • Work with existing ticketing / workflow systems
     • Threat * Weakness * Business Value = Risk
     • Deal with BUSINESS RISK
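The following is an added example, not code from the slides: it puts the SOC's log aggregation from slide 42 together with the prioritization rule above. Constructed raw lines from a firewall, an IDS, Windows and an antivirus are normalized to one schema, correlated per asset, and ranked by Threat * Weakness * Business Value against a hypothetical CMDB extract; every asset name, score and log line is made up, and the threat scale and the brute-force rule are assumptions.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional

# Constructed CMDB extract (compare slide 54): asset name -> business value
# (1-5, set by the business owner) and weakness (1-5, from the last
# vulnerability assessment). Hypothetical values for illustration only.
ASSETS = {
    "db-oracle-01":  {"business_value": 5, "weakness": 4},
    "web-portal-02": {"business_value": 4, "weakness": 5},
    "hr-wiki-03":    {"business_value": 1, "weakness": 5},
    "ws-finance-17": {"business_value": 3, "weakness": 2},
}
# Conservative default for a host the CMDB does not know (a CMDB gap).
UNKNOWN_ASSET = {"business_value": 3, "weakness": 3}

# Threat weight per normalized event kind (assumed 1-5 scale).
THREAT = {"fw_deny": 1, "auth_fail": 2, "brute_force": 3, "av_detect": 3, "ids_sqli": 4}

# Constructed raw lines in three made-up vendor formats.
RAW_LOGS = [
    "FW: deny tcp 203.0.113.9 -> web-portal-02:443",
    "IDS: SQL_INJECTION src=203.0.113.9 dst=web-portal-02 uri=/login",
    "WIN: 4625 logon failure host=ws-finance-17 user=jdoe",
    "WIN: 4625 logon failure host=ws-finance-17 user=jdoe",
    "WIN: 4625 logon failure host=ws-finance-17 user=jdoe",
    "AV: detected Zeus.Gen host=db-oracle-01",
    "IDS: SQL_INJECTION src=198.51.100.7 dst=hr-wiki-03 uri=/search",
    "FW: deny tcp 198.51.100.7 -> hr-wiki-03:80",
    "AV: detected Zeus.Gen host=lab-box-99",
]

@dataclass
class Event:
    kind: str
    asset: str
    raw: str

@dataclass
class Incident:
    asset: str
    events: list = field(default_factory=list)
    threat: int = 0
    risk: int = 0
    notes: list = field(default_factory=list)

# (line prefix, regex extracting the affected asset, normalized kind)
PARSERS = [
    ("FW: ", re.compile(r"-> (?P<asset>[\w-]+):\d+"), "fw_deny"),
    ("IDS: ", re.compile(r"dst=(?P<asset>[\w-]+)"), "ids_sqli"),
    ("WIN: 4625", re.compile(r"host=(?P<asset>[\w-]+)"), "auth_fail"),
    ("AV: ", re.compile(r"host=(?P<asset>[\w-]+)"), "av_detect"),
]

def normalize(raw: str) -> Optional[Event]:
    """Map one raw line onto the common (kind, asset) schema; None if unparseable."""
    for prefix, pattern, kind in PARSERS:
        if raw.startswith(prefix):
            m = pattern.search(raw)
            return Event(kind, m.group("asset"), raw) if m else None
    return None

def correlate(events):
    """Aggregate events per asset into one incident and derive its threat level."""
    by_asset = defaultdict(list)
    for ev in events:
        by_asset[ev.asset].append(ev)
    incidents = []
    for asset, evs in by_asset.items():
        inc = Incident(asset=asset, events=evs)
        kinds = {e.kind for e in evs}
        # Correlation rule: three or more logon failures on one host = brute force.
        if sum(e.kind == "auth_fail" for e in evs) >= 3:
            kinds.add("brute_force")
            inc.notes.append("repeated logon failures escalated to brute_force")
        inc.threat = max(THREAT[k] for k in kinds)
        incidents.append(inc)
    return incidents

def prioritize(incidents):
    """Risk = Threat * Weakness * Business Value; highest business risk first."""
    for inc in incidents:
        ci = ASSETS.get(inc.asset)
        if ci is None:
            ci = UNKNOWN_ASSET
            inc.notes.append("asset missing from CMDB; default values used")
        inc.risk = inc.threat * ci["weakness"] * ci["business_value"]
    return sorted(incidents, key=lambda i: i.risk, reverse=True)

def run(raw_lines=RAW_LOGS):
    """Full pipeline: normalize -> correlate -> prioritize."""
    events = [e for e in map(normalize, raw_lines) if e is not None]
    return prioritize(correlate(events))

if __name__ == "__main__":
    for inc in run():
        print(f"{inc.risk:4d} threat={inc.threat} {inc.asset:14s} "
              f"events={len(inc.events)} {'; '.join(inc.notes)}")
```

The same SQL-injection signature lands the customer-facing portal at the top and the HR wiki near the bottom purely because of business value, which is the slide's point; the unknown host is ranked on defaults and flagged so the CMDB gap itself becomes visible.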
  44. SOC AND BUSINESS EXPECTATION
     Historical (technology-based services): Monitoring & Management of firewalls, IDS/IPS, VPN concentrators, antivirus, content-filtering; Log Management; Incident Management
     Today’s scenario (business oriented, process driven): IT Risk Management with an IT Risk Dashboard; sustaining enterprise security control; meeting industry compliance; security control assessment; enforcing enterprise security policies; audits
  45. SOC ANATOMY (proactive IT risk management cycle)
     1. Identify & Define: identify business units & services; identify applicable regulations; discover & classify assets; assign values to assets; define policies, procedures, standards & guidelines; establish process
     2. Threats & Vulnerability identification: identify threat sources; identify potential threats; scan assets for vulnerabilities; prioritize vulnerabilities; identify existing control mechanisms; review existing mitigation plan; review procedures & process; review existing control mechanism
     3. Impact Analysis & Risk determination: analyze likelihood of threat exploitation; identify magnitude of impact on business; prioritize risks
     4. Risk Mitigation: verify control mechanism; control recommendation & benefit analysis; prepare/modify risk mitigation plan; execute mitigation plan / implement new controls
     5. Verify Control effectiveness: conduct tests to verify control is effective; report residual risk; management signoff for residual risk
     6. Monitor & Analyze: monitor environment continuously for new threats & vulnerabilities; analyze whether risk is acceptable
  46. SOLUTION MAPPING TO SOC SERVICES
     Service areas: Threats & Vulnerability identification (Zero Day Attack Detection); Impact Analysis & Risk Determination; Risk Mitigation; Monitor & Analyze
     Services: Vulnerability Assessment; Penetration Testing; Infrastructure Assessment Service; Recommendation of Security Controls; Implementation of Security Controls; Security Device Management; End User Security Control; 24x7 Monitoring of Security Events; Enterprise Incident Response; Enterprise Risk Dashboard; Compliance Reports; etc.
  47. SOC ARCHITECTURE
     Data-Center 1 ... Data-Center n (server farms, storage), connected over the corporate WAN to other business units, feed the SOC centralized management portal.
     • L1: performance monitoring; security monitoring; availability monitoring; scheduled reporting
     • L2: threat analysis; risk assessment; manage performance; manage availability; trend analysis and reporting; compliance management
     • L3 (risk monitoring): risk mitigation plan; control verification; compliance impact analysis; manage new requirements
     Support process framework: ITIL, best practice, ISO 27001, SANS, FDDI
  48. PROACTIVE SOC APPROACH
     Security analytics: logs; event correlation; proactive intelligence; forensics; reports & statistics
     Security operations & management: incident mgmt; problem mgmt; release mgmt; change mgmt; configuration mgmt
     Services: infrastructure assessment service; vulnerability assessment & penetration testing; vulnerability management; customized advisories; knowledgebase; customer technical support
     Standards: BSI 15000, ITIL, ISO, ISO27001
  49. PEOPLE, PROCESS, OR TECHNOLOGY PROBLEM?
  50. SOC OPERATIONAL MODEL (PEOPLE)
     • L3, Security Incident Managers: incident handling & closure; compliance impact analysis; manage new requirements
     • L2, Security Analysts: incident analysis & validation; vulnerability assessment & remediation support; device mgmt. tasks; trend monitoring & analysis; vulnerability impact analysis; escalation management; compliance reporting
     • L1, Security Operators: security event monitoring; incident detection & 1st level analysis; routine maintenance & operational tasks; operational reporting
     • SOC Service Delivery Structure: service mgmt. reporting; performance mgmt.; problem mgmt.; change & release mgmt.; configuration mgmt.; service level mgmt.; availability & continuity mgmt.
     • SOC Management Team: resource management, skill development; operational process improvement; program management; customer management; SOC incident management
     • SOC Engineering: management of SOC tool; administration of SOC security configuration; implementation projects; enhancement to SOC tools; architecture design of SOC; transformation projects for SOC
     • SOC Security COEs: threat A&A; innovation; benchmarks; reuse of components/solutions; enhancement projects
     • Vendor Management: technical support; incident escalation; product support; trainings; compliance mgmt.; incident mgmt.
     • Knowledgebase / Security Portal; Threat Alert & Advisory
51. SOC OPERATIONAL MODEL (PROCESS)
Sources: network devices, firewalls, IDS, syslogs, SNMP, industry sources.
Tool footprint (Hewlett Packard): the Agent collects raw log data and alerts and normalizes the log data; the Manager performs real time security analysis and alert management, producing real time normalised alerts and consolidated logs, enriched with asset vulnerability information and asset criticality.
Processing stages: Filtering, Normalization, Correlation, Intelligence.
Outputs: dashboard view via portal; Response & Action; remote management from the SOC; Management.
52. SOC OPERATIONAL MODEL (TECHNOLOGY)
Layers: Collect -> Analyze -> Manage
Capabilities: Baseline, Correlated Alerts, Report, Realtime Forensics, Interactive Query, Integrated Analysis, Incident Mgmt., Event Explorer
Collect, supported devices (including legacy): UDS, Windows devices and servers, Netscreen firewalls, Cisco IPS, Juniper IDP, ISS, Microsoft, Trend Micro antivirus
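The collect, normalize, enrich and correlate flow of the two operational-model slides, as an added Python example (it is not the presenter's or any vendor's code): constructed syslog lines from a firewall and a Windows host are mapped onto one schema, filtered, enriched from a constructed asset-criticality table, and correlated into prioritised alerts. The host names, addresses, event ids, thresholds and the P1/P3 labels are all assumptions.

```python
"""Collect -> normalize -> filter -> enrich -> correlate, in miniature.

Added example for the SOC operational-model slides; not the deck's or any
vendor's code. All log lines, hosts, addresses and thresholds are constructed.
"""
import re
from collections import defaultdict

# Constructed sample input: syslog from a firewall (fw01) and a Windows host (dbsrv01).
RAW_LOGS = [
    "<134>Jan 10 09:00:01 fw01 kernel: DROP src=203.0.113.7 dst=10.0.0.5 dpt=22",
    "<134>Jan 10 09:00:02 fw01 kernel: DROP src=203.0.113.7 dst=10.0.0.5 dpt=22",
    "<134>Jan 10 09:00:03 fw01 kernel: DROP src=203.0.113.7 dst=10.0.0.5 dpt=22",
    "<134>Jan 10 09:00:04 fw01 kernel: ACCEPT src=203.0.113.7 dst=10.0.0.5 dpt=22",
    "<134>Jan 10 09:00:05 fw01 kernel: DROP src=198.51.100.9 dst=10.0.0.9 dpt=445",
    "<13>Jan 10 09:00:06 dbsrv01 MSWinEventLog 4625 user=svc_backup src=203.0.113.7",
    "<13>Jan 10 09:00:07 dbsrv01 MSWinEventLog 4624 user=svc_backup src=203.0.113.7",
    "<134>Jan 10 09:00:08 fw01 kernel: ACCEPT src=10.0.0.20 dst=10.0.0.9 dpt=80",
]

# Constructed enrichment data standing in for the "asset criticality" feed.
ASSET_CRITICALITY = {"10.0.0.5": "high", "10.0.0.9": "low"}
HOST_TO_IP = {"dbsrv01": "10.0.0.5"}

SYSLOG = re.compile(r"^<(\d+)>(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) (.*)$")
KEYVAL = re.compile(r"(\w+)=(\S+)")
WIN_EVENT = {"4625": "logon_fail", "4624": "logon_ok"}  # Windows logon event ids


def normalize(line):
    """Map one raw syslog line onto a single flat schema; None if unparseable."""
    m = SYSLOG.match(line)
    if not m:
        return None
    _pri, ts, host, msg = m.groups()
    ev = {"ts": ts, "host": host, "src": None, "dst": None, "user": None}
    ev.update(KEYVAL.findall(msg))          # src=, dst=, dpt=, user=
    words = msg.split()
    if words[0] == "kernel:":               # firewall line: "kernel: DROP src=..."
        ev["type"], ev["action"] = "fw", words[1].lower()
    elif words[0] == "MSWinEventLog":       # windows line: "MSWinEventLog 4625 user=..."
        ev["type"], ev["action"] = "win", WIN_EVENT.get(words[1], "other")
        ev["dst"] = HOST_TO_IP.get(host)    # the logging host itself is the target
    else:
        ev["type"], ev["action"] = "other", "other"
    return ev


def filter_noise(events):
    """Filtering stage: drop internal-to-internal accepts nobody needs to see."""
    return [e for e in events
            if not (e["action"] == "accept" and (e["src"] or "").startswith("10."))]


def make_alert(rule, ev, count):
    """Enrich with asset criticality and derive a priority (labels assumed)."""
    crit = ASSET_CRITICALITY.get(ev["dst"], "unknown")
    return {"rule": rule, "ts": ev["ts"], "src": ev["src"], "dst": ev["dst"],
            "user": ev["user"], "count": count, "asset_criticality": crit,
            "priority": "P1" if crit == "high" else "P3"}


def correlate(events, drop_threshold=3):
    """Two stateful rules over the time-ordered event stream."""
    alerts, drops, fails = [], defaultdict(int), defaultdict(int)
    for e in events:
        flow = (e["src"], e["dst"])
        acct = (e["src"], e["user"])
        if e["type"] == "fw" and e["action"] == "drop":
            drops[flow] += 1
        elif e["type"] == "fw" and e["action"] == "accept" and drops[flow] >= drop_threshold:
            alerts.append(make_alert("repeated drops then accept", e, drops[flow]))
        elif e["type"] == "win" and e["action"] == "logon_fail":
            fails[acct] += 1
        elif e["type"] == "win" and e["action"] == "logon_ok" and fails[acct] > 0:
            alerts.append(make_alert("logon success after failures", e, fails[acct]))
    return alerts


def run_pipeline(lines=RAW_LOGS):
    """Collect -> normalize -> filter -> correlate; returns prioritised alerts."""
    events = [e for e in map(normalize, lines) if e is not None]
    return correlate(filter_noise(events))


if __name__ == "__main__":
    for a in run_pipeline():
        print(a["priority"], a["rule"], a["src"], "->", a["dst"], "x", a["count"])
```

On the constructed input the pipeline raises two P1 alerts against the high-criticality host and none for the single blocked probe or the internal web request, which is the effect of the asset-criticality enrichment the slide draws next to the Manager.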
53. SOC KEY DIFFERENTIATION AREAS
54. INTEGRATED CMDB
Configuration Management Database (CMDB) features:
• Connectors sync data with external systems
• Create, update, and view CIs
• Create relationships among CIs, WIs, IT staff, and Active Directory® Domain Services (AD DS) users
• Automatically track CI change history
• Service definition and mapping
CMDB data: Config Items, Work Items, Relationships
Integrated | Efficient | Business
55. WHAT OUR CUSTOMER DATA TELLS US
Operational issues account for 76% of Critical Situations (CritSits):
• 48% Misconfiguration: 33% were due to installation issues, 67% to POST-installation 'changes'
• 22% are how-to related - poor / improper operations of the environment
• 6% due to KNOWN bugs - 3% already fixed
• 3% NEW bugs
• 21% is everything else combined ("unclassified" or 'other')
56. INCIDENT MANAGEMENT: KEEP USERS AND DATA CENTER SERVICES UP AND RUNNING, AND RESTORE SERVICE QUICKLY
• Process workflows
• Escalations
• Notifications
• Customizable templates
• Knowledge & History
• Automatic incident creation from:
  • Desired Configuration Monitor (DCM) errors
  • Operations Manager alerts
  • Inbound Email
  • Portal
57. CASE MANAGEMENT: ENABLES ORGANIZATIONS TO IDENTIFY AND TRACK PROBLEMS
• Problem creation from similar incidents or attacks
• Link incidents and change requests to a problem
• Auto resolution of incidents linked to the problem
58. CHANGE MANAGEMENT: MINIMIZE ERRORS AND REDUCE RISK
• Typical change models
  • Standard, Major, Emergency…
  • Review and manual activities
• Customizable templates
• Workflows and notifications
• Analyst portal
  • Approvals via web
• Relate change requests to incidents, problems and configuration items
59. VULNERABILITY MANAGEMENT PROCESS
1. Discovery (Mapping)
2. Asset Prioritisation (and allocation)
3. Assessment (Scanning)
4. Reporting (Technical and Executive)
5. Remediation (Treating Risks)
6. Verification (Rescanning)
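The six-step loop on the slide, worked through as an added Python example (not the presenter's process or tooling): a constructed asset table supplies criticality and owner for the prioritisation and allocation step, constructed scan results are scored and reported in technical and executive form, and a constructed rescan drives the verification step, in which a finding closes only when it is no longer reported. The asset names, placeholder vulnerability ids, scoring formula and band thresholds are assumptions.

```python
"""The six-step vulnerability management loop on the slide, worked through in code.

Added example, not the presenter's process tooling. Assets, findings, the scoring
formula and the severity bands are constructed assumptions.
"""
from dataclasses import dataclass

# Step 2, asset prioritisation: constructed criticality 1 (low) .. 5 (critical)
# and the owner each remediation is allocated to.
ASSETS = {
    "web01":   {"criticality": 3, "owner": "web-team"},
    "db01":    {"criticality": 5, "owner": "dba-team"},
    "kiosk02": {"criticality": 1, "owner": "branch-it"},
}


@dataclass(frozen=True)
class Finding:
    asset: str
    vuln_id: str      # constructed placeholder ids, not real CVE numbers
    severity: float   # 0..10 base score as a scanner would report it
    exposed: bool     # reachable from an untrusted network


# Step 3, assessment: constructed results of the first scan.
SCAN_1 = [
    Finding("web01", "VULN-A", 9.8, True),
    Finding("db01", "VULN-B", 7.5, False),
    Finding("kiosk02", "VULN-C", 9.0, True),
    Finding("db01", "VULN-D", 4.0, False),
]

# Step 6, verification: constructed rescan after remediation; only VULN-B persists.
RESCAN = [Finding("db01", "VULN-B", 7.5, False)]


def risk_score(f, assets=ASSETS):
    """Assumed formula: scanner severity weighted by asset criticality,
    multiplied by 1.5 when the asset is exposed to an untrusted network."""
    score = f.severity * assets[f.asset]["criticality"]
    return score * 1.5 if f.exposed else score


def prioritise(findings, assets=ASSETS):
    """Highest risk first; ties broken by raw severity."""
    return sorted(findings, key=lambda f: (risk_score(f, assets), f.severity), reverse=True)


def band(score):
    """Executive-report bands (thresholds assumed)."""
    return "critical" if score >= 40 else "high" if score >= 20 else "medium" if score >= 10 else "low"


def report(findings, assets=ASSETS):
    """Step 4: technical rows for operators plus counts per band for executives."""
    technical = [{"asset": f.asset, "vuln": f.vuln_id, "owner": assets[f.asset]["owner"],
                  "score": round(risk_score(f, assets), 1), "band": band(risk_score(f, assets))}
                 for f in prioritise(findings, assets)]
    executive = {}
    for row in technical:
        executive[row["band"]] = executive.get(row["band"], 0) + 1
    return technical, executive


def verify(open_findings, rescan):
    """Step 6: a finding closes only when the rescan no longer reports it;
    anything still seen stays open and goes back to remediation."""
    still_seen = {(f.asset, f.vuln_id) for f in rescan}
    closed = [f for f in open_findings if (f.asset, f.vuln_id) not in still_seen]
    reopen = [f for f in open_findings if (f.asset, f.vuln_id) in still_seen]
    return closed, reopen


if __name__ == "__main__":
    tech, exe = report(SCAN_1)
    for row in tech:
        print(row)
    print("executive summary:", exe)
    closed, reopen = verify(SCAN_1, RESCAN)
    print("closed:", [f.vuln_id for f in closed], "still open:", [f.vuln_id for f in reopen])
```

The point of keeping prioritisation separate from the scanner's severity is visible in the output: the 9.0 finding on the low-criticality kiosk ranks below a 4.0 finding on the critical database, and the rescan, not the ticket being marked done, is what closes a finding.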
60. INVESTIGATIONS AND FORENSICS
• Being able to investigate and manipulate data
• Visualization
• Post-event correlation
• Managing by case / incident
• Chain of custody
• Integrity of data
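The last two bullets, chain of custody and integrity of data, as an added Python example (not the presenter's or any forensic product's code): the evidence is hashed at acquisition, every custody entry commits to that hash and to the previous entry, and verification detects both altered evidence and a rewritten log entry. The evidence bytes, evidence id, handler names and timestamps are constructed.

```python
"""Chain of custody and evidence integrity as a hash-chained custody log.

Added example for the investigations/forensics slide; not the presenter's or any
forensic product's code. Evidence bytes, ids, handlers and timestamps are constructed.
"""
import hashlib
import json

GENESIS = "0" * 64   # prev_hash of the first custody entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def entry_digest(entry):
    """Digest over canonical JSON of every field except the digest itself."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return sha256_hex(json.dumps(body, sort_keys=True, separators=(",", ":")).encode())


class CustodyLog:
    """Append-only record of who did what with an evidence item; each entry
    commits to the evidence hash and to the previous entry."""

    def __init__(self, evidence_id, evidence: bytes):
        self.evidence_id = evidence_id
        self.evidence_hash = sha256_hex(evidence)   # integrity anchor taken at acquisition
        self.entries = []

    def record(self, handler, action, ts):
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        entry = {"evidence_id": self.evidence_id, "evidence_hash": self.evidence_hash,
                 "handler": handler, "action": action, "ts": ts, "prev_hash": prev}
        entry["entry_hash"] = entry_digest(entry)
        self.entries.append(entry)
        return entry["entry_hash"]

    def verify(self, evidence: bytes):
        """Return (ok, reason): the evidence must still match the acquisition hash and
        every entry must chain to its predecessor unmodified."""
        if sha256_hex(evidence) != self.evidence_hash:
            return False, "evidence bytes differ from acquisition hash"
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["prev_hash"] != prev:
                return False, f"entry {i}: broken link to previous entry"
            if e["evidence_hash"] != self.evidence_hash:
                return False, f"entry {i}: evidence hash mismatch"
            if entry_digest(e) != e["entry_hash"]:
                return False, f"entry {i}: entry modified after it was recorded"
            prev = e["entry_hash"]
        return True, "chain intact"


def demo():
    """Constructed scenario: an image is acquired, moved and checked out, then
    first the evidence and then the log itself are tampered with."""
    image = b"constructed disk image bytes, not a real image"
    log = CustodyLog("EVD-0001", image)   # placeholder evidence id
    log.record("analyst.a", "acquired image from workstation", "2012-05-15T09:00:00Z")
    log.record("analyst.a", "transferred to evidence locker", "2012-05-15T09:30:00Z")
    log.record("analyst.b", "checked out for analysis", "2012-05-16T08:00:00Z")
    intact = log.verify(image)
    tampered_evidence = log.verify(image + b"\x00")
    log.entries[1]["handler"] = "someone.else"       # rewrite history in the log itself
    tampered_log = log.verify(image)
    return intact, tampered_evidence, tampered_log


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Hashing alone proves the bytes did not change; the chained entries are what make the custody record itself tamper-evident, because editing one entry breaks its digest and re-hashing it would break the link from the next entry. In practice the chain would also be anchored outside the analyst's control (signed, or copied to a write-once store), which this example leaves out.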
61. CRIME SCENE (slide image: crime scene tape)
62. II. CSIRT
• The organization decides whether to build a team based on its size and ROSI
• Compose the team, or select members who can escalate and take the initial necessary action
• Train the team on the most common situations and scenarios
• Acquire the required tools
63. Q&A
Mahmoud.yassin@nbad.com
myassin75@gmail.com
THANK YOU 15/05/2012
